-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0986
    Red Hat OpenShift Do openshift/odo-init-image 1.1.3 security update
                               23 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Do
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Root Compromise                 -- Existing Account      
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Overwrite Arbitrary Files       -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12403 CVE-2020-12402 CVE-2020-12401
                   CVE-2020-12400 CVE-2020-12243 CVE-2020-8177
                   CVE-2020-7595 CVE-2020-6829 CVE-2020-1971
                   CVE-2019-20907 CVE-2019-20388 CVE-2019-19956
                   CVE-2019-17498 CVE-2019-17023 CVE-2019-17006
                   CVE-2019-15903 CVE-2019-14866 CVE-2019-12749
                   CVE-2019-11756 CVE-2019-11727 CVE-2019-11719
                   CVE-2019-5188 CVE-2019-5094 CVE-2018-20843

Reference:         ESB-2021.0864
                   ESB-2021.0845
                   ESB-2021.0691

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0949

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat OpenShift Do openshift/odo-init-image 1.1.3 security update
Advisory ID:       RHSA-2021:0949-01
Product:           OpenShift Do
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0949
Issue date:        2021-03-22
Keywords:          odo, developer, cli, iterative development, containers, openshift, kubernetes
CVE Names:         CVE-2018-20843 CVE-2019-5094 CVE-2019-5188 
                   CVE-2019-11719 CVE-2019-11727 CVE-2019-11756 
                   CVE-2019-12749 CVE-2019-14866 CVE-2019-15903 
                   CVE-2019-17006 CVE-2019-17023 CVE-2019-17498 
                   CVE-2019-19956 CVE-2019-20388 CVE-2019-20907 
                   CVE-2020-1971 CVE-2020-6829 CVE-2020-7595 
                   CVE-2020-8177 CVE-2020-12243 CVE-2020-12400 
                   CVE-2020-12401 CVE-2020-12402 CVE-2020-12403 
=====================================================================

1. Summary:

An updated openshift/odo-init-image container image is now available for Red
Hat OpenShift Do 1.0.

2. Description:

Red Hat OpenShift Do (odo) is a simple CLI tool for developers to create,
build, and deploy applications on OpenShift. The odo tool is completely
client-based and requires no server within the OpenShift cluster for
deployment. It detects changes to local code and deploys it to the cluster
automatically, giving instant feedback to validate changes in real-time. It
supports multiple programming languages and frameworks.

Red Hat OpenShift Do openshift/odo-init-image 1.1.3 is a container image
that is used as part of the InitContainer setup that provisions odo
components.

The advisory addresses the following issues:

* Re-release of odo-init-image 1.1.3 for security updates

3. Solution:

Download and install a new CLI binary by following the instructions linked
from the References section.

4. Bugs fixed (https://bugzilla.redhat.com/):

1832983 - Release of 1.1.3 odo-init-image

5. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5188
https://access.redhat.com/security/cve/CVE-2019-11719
https://access.redhat.com/security/cve/CVE-2019-11727
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2019-17498
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-6829
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-12243
https://access.redhat.com/security/cve/CVE-2020-12400
https://access.redhat.com/security/cve/CVE-2020-12401
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/updates/classification/#low
https://docs.openshift.com/container-platform/4.4/cli_reference/openshift_developer_cli/installing-odo.html

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----